$20 YoLink IoT Gateway Vulnerabilities Put Home Security at Risk
Four critical zero-day flaws found in the $20 YoLink Smart Hub allow remote physical access, threatening your home security. See the urgent steps you must take now.
Cybersecurity researchers at Bishop Fox have revealed security vulnerabilities in the popular, inexpensive YoLink Smart Hub (v0382), leaving users exposed to remote attackers. The hub that costs just $20 serves as a central gateway that manages all connected smart locks, sensors, and plugs. These vulnerabilities, publicly disclosed today and tracked under four separate CVEs, show the risks involved in connecting low-cost devices to our homes.
How Hackers Can Take Over Your YoLink Devices
Beginning their work “earlier this year,” researchers discovered multiple zero-day vulnerabilities (flaws previously unknown and unpatched). They physically examined the device and noted that it is built around a common ESP32 System-on-Chip. Because the ESP32 is widely used and well documented, they were able to start analysing the hub’s inner workings immediately.
A circuit board showing the ESP32 chip (Image credit: Bishop Fox)
As the central point for the entire YoLink system, the hub acts as a single point of control. It communicates with the mobile app (via the cloud) using the MQTT protocol and relays commands to the devices over LoRa or LoRaWAN, a long-range, low-power radio technology. Researchers found weaknesses along this multi-hop communication path.
The three-part communication path: Phone → Cloud → Hub → Lock (Image credit: Bishop Fox)
One of the most serious issues is an ‘authorization bypass,’ tracked as CVE-2025-59449 and CVE-2025-59452 (Insufficient Authorization Controls). The most severe of these, CVE-2025-59449, rated as critical, means the system does not properly verify that the user making a request is entitled to control the targeted device before granting access.
This flaw allows a hacker who obtains predictable device IDs to remotely control devices belonging to other YoLink users. While investigating, researchers confirmed the ability to operate a smart lock in a different user’s home.
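The following is an added illustration, not code from Bishop Fox or YoSmart, of the control-path weakness described above. It is a constructed toy model of a cloud “control a device” endpoint: the weak version treats knowledge of a device ID as proof of ownership, while the hardened version checks a live session and the device’s owner on every request. All names, IDs and the session lifetime are assumptions for the example.

```python
import secrets
import time

# Constructed toy model of a cloud "control a device" endpoint. It is not
# YoLink's real service and makes no claim about how their backend is built;
# it only contrasts the weak check the article describes with a proper one.


class ControlService:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so session expiry can be tested
        self._owners = {}          # device_id -> owning user
        self._sessions = {}        # session token -> (user, expiry timestamp)
        self.actions = []          # executed (device_id, command) pairs, for audit

    def register_device(self, owner):
        # Random IDs remove the "guess the next one" problem, but they are only
        # defence in depth: the ownership check below is what actually matters.
        device_id = secrets.token_urlsafe(16)
        self._owners[device_id] = owner
        return device_id

    def login(self, user, ttl_seconds=900):
        # Short-lived, random session tokens; expiry is enforced on every request.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._now() + ttl_seconds)
        return token

    def logout(self, token):
        self._sessions.pop(token, None)

    def control_device_insecure(self, device_id, command):
        # Weak pattern: possessing a valid device ID is treated as proof of
        # ownership, so any caller who knows an ID can drive that device.
        if device_id not in self._owners:
            raise KeyError("unknown device")
        self.actions.append((device_id, command))
        return True

    def control_device(self, token, device_id, command):
        # Hardened pattern: authenticate the session, reject expired sessions,
        # then check that the session's user owns the device.
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("no valid session")
        user, expires_at = session
        if self._now() >= expires_at:
            self._sessions.pop(token, None)
            raise PermissionError("session expired")
        # Unknown device and someone else's device get the same answer, so the
        # endpoint does not reveal which IDs exist.
        if self._owners.get(device_id) != user:
            raise PermissionError("not authorized for this device")
        self.actions.append((device_id, command))
        return True


def _allowed(fn, *args):
    try:
        return fn(*args)
    except (PermissionError, KeyError):
        return False


def run_scenario():
    clock = {"t": 1_000.0}
    svc = ControlService(now=lambda: clock["t"])
    alice_lock = svc.register_device("alice")
    alice_token = svc.login("alice")
    bob_token = svc.login("bob")

    results = {
        # Bob only knows Alice's device ID; the weak endpoint lets him unlock it.
        "insecure_cross_user": _allowed(svc.control_device_insecure, alice_lock, "unlock"),
        "hardened_cross_user": _allowed(svc.control_device, bob_token, alice_lock, "unlock"),
        "hardened_owner": _allowed(svc.control_device, alice_token, alice_lock, "unlock"),
    }
    clock["t"] += 3_600  # an hour later the 15-minute session must no longer work
    results["hardened_expired"] = _allowed(svc.control_device, alice_token, alice_lock, "unlock")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:>22}: {'allowed' if outcome else 'denied'}")
```

The point of the contrast is that the fix is an ownership check tied to an authenticated session, not merely harder-to-guess device IDs; the expiry branch also covers the long-lived-session problem the article raises separately.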
Beyond the access flaw, two more critical issues were found. The device sends sensitive data, including credentials and Wi-Fi passwords, without any protection, tracked as CVE-2025-59448 (Insecure Network Transmission).
Because the MQTT traffic is unencrypted, this data travels in plain text and can be read by anyone able to observe the connection. Additionally, session flaws (CVE-2025-59451: Improper Session Management) mean an attacker who gains access could keep that unauthorized control for a long time.
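To make concrete what “plain text on the wire” means for MQTT, here is an added example (not code from the article, Bishop Fox or YoSmart) that builds and parses an MQTT 3.1.1 CONNECT packet and runs a small audit check of the kind a passive network monitor could apply. The client ID and credentials are constructed sample values; the packet layout follows the public MQTT 3.1.1 specification.

```python
import struct

# Constructed MQTT 3.1.1 CONNECT builder/parser plus a small audit check.
# Added to illustrate the article's point; not YoLink or Bishop Fox code.
# Client IDs and credentials used with it are made-up sample values.


def _encode_str(value: bytes) -> bytes:
    # MQTT strings carry a 2-byte big-endian length prefix.
    return struct.pack(">H", len(value)) + value


def _encode_remaining_length(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80           # continuation bit
        out.append(byte)
        if not n:
            return bytes(out)


def _decode_remaining_length(data: bytes, idx: int):
    value, multiplier = 0, 1
    while True:
        byte = data[idx]
        idx += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, idx
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _read_str(data: bytes, idx: int):
    (n,) = struct.unpack_from(">H", data, idx)
    idx += 2
    if idx + n > len(data):
        raise ValueError("truncated string")
    return data[idx:idx + n], idx + n


def build_connect(client_id: bytes, username=None, password=None, keepalive=60) -> bytes:
    flags = 0x02                   # clean session
    payload = _encode_str(client_id)
    if username is not None:
        flags |= 0x80              # username flag
        payload += _encode_str(username)
    if password is not None:
        flags |= 0x40              # password flag
        payload += _encode_str(password)
    var_header = _encode_str(b"MQTT") + bytes([0x04, flags]) + struct.pack(">H", keepalive)
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> dict:
    # Everything below is recovered directly from the bytes: without TLS, an
    # observer on the path sees exactly these fields.
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, idx = _decode_remaining_length(packet, 1)
    if idx + remaining != len(packet):
        raise ValueError("length mismatch")
    proto, idx = _read_str(packet, idx)
    if proto != b"MQTT":
        raise ValueError("unexpected protocol name")
    level, flags = packet[idx], packet[idx + 1]
    idx += 2
    (keepalive,) = struct.unpack_from(">H", packet, idx)
    idx += 2
    client_id, idx = _read_str(packet, idx)
    if flags & 0x04:               # will flag set: skip will topic and message
        _, idx = _read_str(packet, idx)
        _, idx = _read_str(packet, idx)
    username = password = None
    if flags & 0x80:
        username, idx = _read_str(packet, idx)
    if flags & 0x40:
        password, idx = _read_str(packet, idx)
    return {"level": level, "keepalive": keepalive, "client_id": client_id,
            "username": username, "password": password}


def audit_connect(packet: bytes, tls: bool) -> list:
    # Findings a passive monitor would raise for one observed CONNECT.
    fields = parse_connect(packet)
    findings = []
    if not tls:
        findings.append("cleartext MQTT session")
        if fields["password"] is not None:
            findings.append("password readable on the wire: %r" % fields["password"])
    return findings


if __name__ == "__main__":
    sample = build_connect(b"hub-constructed", b"hub-user", b"hub-secret")
    print(sample.hex())
    print(parse_connect(sample))
    print(audit_connect(sample, tls=False))
```

Run stand-alone it prints the raw bytes, the parsed fields and the findings; the same credentials inside a TLS-wrapped session would not be visible to the parser at all, which is the mitigation the article's CVE-2025-59448 finding calls for.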
Attack Scenario (Image credit: Bishop Fox)
What You Need to Do Now
The implications are severe for anyone using the v0382 hub. Because the device controls home entry points like smart locks and garage door openers, a malicious actor could potentially “obtain physical access to YoLink customers’ homes,” Bishop Fox’s research team explained in the technical blog post, shared with Hackread.com ahead of its publishing.
A large number of users are exposed right now because the manufacturer, YoSmart, has not yet provided a patch or fix. Until a patch is released, users are advised to treat the hub as unsafe. It is recommended that you disconnect it from essential home networks, avoid using it for anything that controls physical access to the home, and consider switching to a vendor that offers regular security updates.